Again,

I remember this thread a while back. Weren't the Checkpoint reps also a
tad upset this summer at BlackHat? I thought Checkpoint FW-1 was the most
misconfigured firewall deployed, or am I mistaken? :)

/mark

At 04:14 PM 11/28/00 -0600, Larry Paul wrote:
> >Emily G. Cohen wrote:
> >| Check Point Software Technologies Ltd. would like to assure its
> >| customers, security experts, and others that there is no, and never
> >| has been, an "agreement" or relationship between Check Point Software
> >| and the Mossad, or any other branch of the Israeli government or military,
> >| to create a "back door" into Check Point products.
> >|
> >| These are false and malicious rumors that have been circulating
> >| since Check Point became successful, specifically targeted at
> >| damaging the company, and they are always from "anonymous sources."
> >| Check Point takes these rumors seriously, and if anyone has information
> >| on the source/s of these rumors, we would be very interested in hearing
> >| from you, so that we can take appropriate action.
> >|
> >| Check Point FireWall-1 is the most widely installed network security
> >| solution in the world and no customer has ever reported a security
> >| breach of this nature. Check Point FireWall-1's customer list includes
> >| accounts with the highest level of security consciousness such as U.S.
> >| national and foreign governments, the world's leading financial institutions,
> >| telcos and ISPs. All Check Point FireWall-1 customers benefit from the
> >| product's patented Stateful Inspection technology ensuring the highest
> >| level of enterprise security available today.
> >|
> >| Emily Cohen, Director of Corporate Communications
> >| Check Point Software Technologies, Inc.
> >| 400 Seaport Court, Suite 105
> >| Redwood City, CA 94063
> >| Tel: 415-562-0400 x228
> >| Fax: 415-562-0410
> >| www.checkpoint.com
> >|
>
>*-----Original Message-----
>*From: [EMAIL PROTECTED]
>*[mailto:[EMAIL PROTECTED]]On Behalf Of Marcus J. Ranum
>*Sent: Tuesday, November 28, 2000 1:29 PM
>*To: [EMAIL PROTECTED]
>*Subject: RE: Checkpoint and DoD Firewalls
>*
>*
>*Ron DuFresne <[EMAIL PROTECTED]> asks:
>*
>*>> the nsa would take great interest in knowing what backdoors
>*>> the 'ha-Mossad le-Modiin ule-Tafkidim Meyuhadim' might have available to
>*>> them.
>*>>
>*>
>*>Isn't this rumor of backdoors in FW-1 one of Marcus' pet peeves?  Doesn't
>*>he have an outstanding award offered for those that can actually back up
>*>the rumored claim with positive proofs?
>*
>*It sure used to be one of my pet peeves. I used to compete with
>*Checkpoint, and, while I never particularly liked their product,
>*I don't like people who play "dirty" in this industry. Marketing
>*against a competitor by sleazy innuendo just makes all security
>*products vendors look lame.
>*
>*2 years (or maybe 3 or 5, I forget) (a long time) ago I got so
>*sick of it that I offered I think it was $4,000 out of my own
>*pocket to anyone who could _prove_ there was a _trapdoor_ in
>*Checkpoint. That doesn't include ordinary lameness such as the
>*stuff Dug Song's discovered - but a real honest-to-goodness
>*trapdoor that says "Mossad Enter Here" in binary. So far nobody
>*has come close to collecting (though one guy had a lot of useful
>*information on where the misinformation had come from)
>*
>*Basically, here's what I've managed to find out: An early version
>*of FW-1 was examined by people from X group at NSA. They wrote
>*a classified technical report and one of the things in it was
>*an observation that allegedly some of the files in FW-1 contained
>*hardcoded IP addresses of machines in Israel. The modules in
>*question were apparently the SNMP trap generation code, which
>*was based on the CMU SNMP library - which, I believe, used to
>*have an option where you could hardcode default addresses for
>*minimal configurations. This is apparently what had happened.
>*I don't know the individuals who did this particular assessment,
>*but I've not been generally impressed by the technical skills
>*of some of the spooks who've done product assessments. I've seen
>*security assessment specialists who don't know C, for example.
>*My guess is that the guys in X group had a hissy fit over nothing
>*and made a mountain out of a molehill.
>*
>*So then what happens? A sales rep from one of Checkpoint's
>*competitors (no, it wasn't someone from where I worked) apparently
>*got wind of this, and quickly spread word about it, in an attempt
>*to grab some market opportunity. The sales guy left that vendor
>*about a year later, but the damage was done. I've had "security
>*experts" look me in the eye and tell me they _know_ there's a
>*trapdoor, but when I ask them to prove it they backpedal into
>*"well, a friend, who I really trust, told me about it in confidence."
>*Yeah, whatever.
>*
>*So, that's the story.
>*
>*I don't think Mossad would do something so amateurish and
>*obvious, frankly. Maybe it was actually an FBI hole they found. ;)
>*
>*mjr.
>*-----
>*Marcus J. Ranum
>*
>*Chief Technology Officer, NFR Security, Inc.
>*Work:                  http://www.nfr.com
>*Personal:              http://www.ranum.com
>*
>*-
>*[To unsubscribe, send mail to [EMAIL PROTECTED] with
>*"unsubscribe firewalls" in the body of the message.]
>*
>